Skip to main content
CVE-2026-58196 LOW POC PATCH GHSA Monitor

Server-Side Request Forgery in ToolHive's host-side authentication discovery flow allows a malicious or compromised remote MCP server to force the ToolHive host process to issue arbitrary internal HTTP GET requests with redirect following and no address filtering, bypassing the container isolation that ToolHive is architecturally designed to enforce. Affected versions include all releases through v0.29.3 (commit b672d82f confirmed 2026-06-14); the fix is available in v0.31.0. A publicly reproducible proof-of-concept with recording exists demonstrating retrieval of cloud instance metadata via AWS IMDSv1 redirect; no CISA KEV listing is present, but the exploit is fully operationalized without special infrastructure on any deployment with IMDSv1 enabled.

SSRF
NVD GitHub
CVSS 3.1
4.7
CVE-2026-62683 LOW PATCH Monitor

File Browser prior to 2.63.17 retains stale public directory share records after a shared directory is deleted via a trailing-slash path, because the Bolt storage backend queries for shares using the unnormalized path before trimming the slash - causing the exact-match share record (stored as '/a') to be missed by a query against '/a/'. If the directory is subsequently recreated at the same path, any holder of the original share URL immediately gains unauthorized read access to the new directory contents. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Filebrowser
NVD GitHub
CVSS 3.1
3.1
CVE-2026-40958 LOW PATCH Monitor

Non-persistent denial-of-service affecting Absolute Secure Access clients prior to version 14.55 can be triggered by an attacker who possesses intimate knowledge of and total control over the underlying tunnel protocol, yielding low availability impact limited to the client process. The CVSS 4.0 score of 2.3 reflects the highly constrained exploitation requirements captured by AT:P and UI:P - this is not opportunistic exploitation but a targeted, condition-heavy attack against a specific client. No active exploitation has been identified, no public exploit code exists, and the DoS is explicitly described as non-persistent, meaning the client recovers without lasting damage.

Information Disclosure Secure Access
NVD
CVSS 4.0
2.3
CVE-2026-15921 LOW PATCH Monitor

Path traversal in nvm versions 0.32.1 through 0.40.5 allows a hostile Node.js mirror to overwrite arbitrary files in the victim's home directory, including shell startup files, leading to code execution on the next shell session. The vulnerability exists in `nvm ls-remote`, `nvm install --lts`, and any other nvm command that refreshes remote LTS aliases by fetching and parsing a mirror's `index.tab` - the LTS codename field is used as an alias filename without sanitization, permitting sequences like `../../../.bashrc` to escape `$NVM_DIR/alias`. No public exploit identified at time of analysis, but a working proof-of-concept is embedded in the upstream test suite added in the fix commit.

Node.js Path Traversal RCE Nvm
NVD GitHub
CVSS 4.0
2.1
CVE-2026-40956 LOW PATCH Monitor

Memory disclosure in Absolute Security Secure Access client (versions prior to 14.55) permits a small, indeterminate amount of process memory to leak to an adversary who has already achieved full control over the tunnel protocol. The CVSS 4.0 score of 2.1 accurately reflects the narrow real-world impact: an attacker must simultaneously possess intimate protocol knowledge and the ability to manipulate tunnel communications end-to-end, a prerequisite that dramatically limits the exploitable population. No public exploit code exists and the vulnerability does not appear in the CISA KEV catalog, reinforcing its low operational priority for most enterprises.

Information Disclosure Secure Access
NVD
CVSS 4.0
2.1
CVE-2026-40955 LOW PATCH Monitor

Integer underflow in the traffic parsing function of Absolute Security Secure Access clients prior to version 14.55 enables a non-persistent denial-of-service condition against the client application. Exploitation demands the attacker possess intimate knowledge of the proprietary tunnel protocol AND maintain total control over that tunnel - an exceptionally high bar that drastically limits realistic attacker population. The impact is restricted to temporarily disrupting the Secure Access client on the victim endpoint; the service recovers without persistent damage. No public exploit code exists and this vulnerability is not listed in CISA KEV.

Information Disclosure Secure Access Integer Overflow
NVD
CVSS 4.0
2.1
CVE-2026-40954 LOW PATCH Monitor

Integer underflow in Absolute Security's Secure Access client prior to version 14.55 allows an attacker with full control over the tunnel protocol to cause a non-persistent denial of service against the client. The exploitation bar is extremely high - the attacker must possess both intimate knowledge of the proprietary tunnel protocol and total control over the communication channel. No public exploit code exists and this vulnerability is not listed in CISA KEV; the vendor-reported CVSS 4.0 score of 2.1 reflects the negligible real-world risk.

Information Disclosure Secure Access Integer Overflow
NVD
CVSS 4.0
2.1
CVE-2026-61869 LOW PATCH Monitor

Memory leak in ImageMagick's MIFF encoder (CWE-401) affects the 7.x branch before 7.1.2-26 and the 6.x branch before 6.9.13-51, enabling denial of service through resource exhaustion. When a memory allocation fails during MIFF image encoding, previously allocated buffers are not released, causing memory to accumulate across repeated processing calls. The CVSS 4.0 score of 2.1 and a local attack vector (AV:L) with high complexity (AC:H) and specific prerequisites (AT:P) signal a low-priority finding with no public exploit and no CISA KEV listing.

Denial Of Service Imagemagick
NVD GitHub
CVSS 4.0
2.1
CVE-2026-61867 LOW PATCH Monitor

Memory leak in ImageMagick's TIFF encoder before version 7.1.2-26 enables denial of service via controlled memory allocation failures. An attacker who can submit TIFF images for processing can repeatedly trigger allocation failures, causing the encoder to leak memory without releasing it, ultimately exhausting available system memory. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.1 reflects the constrained local attack vector and low availability impact.

Denial Of Service Imagemagick
NVD GitHub
CVSS 4.0
2.1
CVE-2026-61866 LOW PATCH Monitor

Memory leak in ImageMagick's JNG encoder before version 7.1.2-26 enables local resource exhaustion when malformed JNG files cause blob open failures without subsequent memory release. The flaw is classified CWE-401 and carries a CVSS 4.0 score of just 2.1, reflecting a local attack vector, high complexity, and availability-only impact - no confidentiality or integrity loss is possible. No public exploit code and no active exploitation (CISA KEV) have been identified, making this a low-priority finding relevant primarily to services that batch-process untrusted image files.

Denial Of Service Imagemagick
NVD GitHub
CVSS 4.0
2.1
CVE-2026-61865 LOW PATCH Monitor

ImageMagick's hough lines operation leaks a small amount of memory when a specific internal sub-operation fails, affecting the 7.x branch before 7.1.2-26 and the 6.x legacy branch before 6.9.13-51. This CWE-401 flaw is locally exploitable only under high attack complexity with specific prerequisites, producing a low availability impact with no confidentiality or integrity consequence - reflected in the CVSS 4.0 score of 2.1. No public exploit or active exploitation has been identified at time of analysis; this is a low-priority maintenance patch with no realistic threat-actor motivation.

Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
2.1
CVE-2026-61864 LOW PATCH Monitor

ImageMagick's log colorspace color transformation leaks a small amount of memory when the operation fails, affecting versions prior to 7.1.2-26 and 6.9.13-51. The flaw (CWE-401) resides in an error-handling code path that fails to release allocated memory, meaning repeated invocations that trigger failures could contribute to incremental memory exhaustion. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified; the CVSS 4.0 score of 2.1 reflects the highly constrained and low-impact nature of this issue.

Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
2.1
CVE-2026-61863 LOW PATCH Monitor

ImageMagick's TIFF encoder leaks a small quantity of memory when a temporary file cannot be created during encoding operations, affecting versions 7.x before 7.1.2-26 and 6.x before 6.9.13-51. The CVSS 4.0 score of 2.1 and vector (AV:L/AC:H/AT:P) place this firmly in minimal-severity territory: exploitation is local, requires high complexity, and depends on a platform-specific precondition. No public exploit has been identified, the flaw is not listed in CISA KEV, and the described impact is limited to a small, incremental availability reduction with no confidentiality or integrity consequences.

Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
2.1
CVE-2026-61862 LOW PATCH Monitor

ImageMagick before 7.1.2-26 (7.x branch) and 6.9.13-51 (6.x branch) discloses one byte of process memory beyond a profile boundary when the `identify` command is run with debug output enabled and the embedded profile ends with a non-printable byte. The out-of-bounds read (CWE-125) is highly conditional - requiring local access, explicit debug mode activation, and a specifically crafted profile payload - keeping real-world impact extremely low despite ImageMagick's broad deployment footprint. No public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
2.1
CVE-2026-61872 LOW PATCH Monitor

Memory leak in ImageMagick's TIFF encoder - affecting the 7.x branch before 7.1.2-26 and the 6.x branch before 6.9.13-51 - allows an attacker or application to cause gradual memory exhaustion by repeatedly supplying an invalid tiff:tile-geometry parameter during TIFF encoding operations. The flaw scores 2.0 under CVSS 4.0 with only low availability impact, a local attack vector, high complexity, and prerequisite conditions, placing it firmly in the low-severity tier. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog, indicating no confirmed active exploitation at the time of analysis.

Information Disclosure Imagemagick
NVD GitHub
CVSS 4.0
2.0
CVE-2026-61464 LOW PATCH Monitor

Heap-based buffer over-write in ImageMagick's X11 import functionality exposes local systems to heap memory corruption and denial of service when processing a crafted X11 window title. Affected versions span both the 7.x branch (before 7.1.2-26) and the legacy 6.x branch (before 6.9.13-51), covering a large installed base across Linux and Unix environments. No public exploit identified at time of analysis, and the narrow exploitation conditions - requiring local privileged access with X11 in scope - significantly constrain real-world risk despite the CWE-122 heap overflow class.

Heap Overflow Buffer Overflow Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 4.0
1.0
CVE-2026-54450 LOW POC PATCH GHSA Monitor

ToolHive's hand-maintained SSRF guard (`networking.IsPrivateIP`) omits IPv6 NAT64 prefixes `64:ff9b::/96` (RFC 6052) and `64:ff9b:1::/48` (RFC 8215), allowing addresses like `64:ff9b:1::a9fe:a9fe` - the NAT64 encoding of the cloud metadata endpoint `169.254.169.254` - to be misclassified as globally routable and pass unchecked. On ToolHive deployments behind a NAT64/DNS64 gateway (the default in IPv6-only Kubernetes clusters and several IPv6-only cloud environments), an unauthenticated attacker can submit a crafted OAuth `client_id` URL that causes ToolHive's CIMD fetcher to dial internal or link-local addresses the guard is intended to block, achieving a blind internal-reachability oracle. Practical impact is limited to TCP/TLS connection probing rather than credential exfiltration due to HTTPS-only enforcement and TLS verification on the attacker-controlled path; a complete proof-of-concept is publicly available in the vendor advisory, and no public exploit identified at time of analysis as a KEV-listed active campaign.

Kubernetes Microsoft SSRF Oracle
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy